Comment by jmalicki

5 days ago

MCMC can be difficult for this reason. There are concepts like "k-dimensional equidistribution" etc. etc... where in some ways the requirements of a PRNG are far, far, higher than a cryptographically sound PRNG, but also in many ways less so, because you don't care about adversarial issues, and would prefer speed.

If you can't generate all possible assignments, you care about second and third order properties etc. of the sequence.

19 comments

jmalicki

Reply
coppsilgold  4 days ago

Does there exist a single MCMC example that performs poorer when fed by a CSPRNG (with any fixed seed, including all zeroes; no state reuse within the simulation) as opposed to any other RNG source?

  • SAI_Peregrinus  4 days ago

    If there did, it'd be a distinguisher attack on that CSPRNG. So for a non-broken CSPRNG, the answer is "no", by the definition of "non-broken CSPRNG".

mananaysiempre  5 days ago

> There are concepts like "k-dimensional equidistribution" etc. etc... where in some ways the requirements of a PRNG are far, far, higher than a cryptographically sound PRNG

Huh? If you can chew through however many gigabytes of the supposed CSPRNG’s output, do some statistics, and with a non-negligible probability tell if the bytes in fact came from the CSPRNG in question or an actual iid random source, then you’ve got a distinguisher and the CSPRNG is broken.

  • jmalicki  4 days ago

    It all comes down to actual specific statistical tests, and how hard they are to break in specific applications.

    No CSPRNG is absolutely perfect, no CSPRNG has ever absolutely passed every statistical test thrown at it.

    In MCMC, it stresses very different statistical tests than the typical CSPRNG tests.

    Every PRNG is absolutely broken if you want to be absolute about it. MCMC and crypto applications push on different aspects where statistical issues will cause application level failures.

    See e.g. this paper https://www.cs.hmc.edu/tr/hmc-cs-2014-0905.pdf

    (it's not the end all be all, but it's a good survey of why this stuff matters and why it's different)

    • mananaysiempre  4 days ago

      > no CSPRNG has ever absolutely passed every statistical test thrown at it

      As far as I know (admittedly not a high standard), there is no published statistical test that you could run on, for example, a single AES-256-CTR bitstream set up with a random key and IV, running on a single computer, that would be able to tell you with a meaningful likelihood ratio that you were looking at a pseudorandom rather than truly random input before the computer in question broke down. (I’m assuming related-key attacks are out of scope if we’re talking about an RNG for simulation purposes.)

      13 replies →